The California Consumer Protection Act (CCPA) of 2018 went into effect January 1, 2020, but enforcement begins July 1, 2020. This Act expands the personally identifiable information (PII) categories to include name(s), addresses, account names, biometrics, geolocation data, employment information, Social Security numbers, and driver's license and passport numbers, radically changing how organizations collect and manage PII.
Does CCPA impact Churches?
The answer is yes. The CCPA covers for-profit legal entities. Not-for-profit organizations, e.g., churches, appear to be exempt. In reality, most churches are probably not selling goods or services, yet their third-party service providers do. For example, they collect and use PII for financial and membership management, fundraising and social media engagement.
How to Prepare?
You may have noticed churches and their service providers updating website "Cookie" and "Privacy" policies and anonymizing IP addresses to prevent data aggregation, among other things. The reason is that the European Union's 2018 General Data Protection Regulation (GDPR) does not exempt not-for-profit organizations. Because they collect and manage PII on donors, employees and even visitors to websites or mobile apps, the prospect of running afoul of GDPR's regulators motivated churches and their service providers to comply voluntarily.
Now in 2020, many churches and their service providers that are GDPR compliant are hoping that they are legally exempt, or that being located outside California shields them from CCPA compliance. This position is temporary.
We can expect to see similar data protection and privacy laws enacted across the United States, based in part on CCPA and GDPR. That is why churches should require all service providers and partners to demonstrate CCPA compliance by offering California citizens, and eventually all citizens:
- Access: A comprehensive view of collected PII
- Delete: Digital means to delete or edit their PII
- Disclose: Notification by digital means when and if any PII is collected, used or shared, and with whom.
- Opt Out: Allow them to be forgotten or decline the sharing of their PII to others.
Penalties for non-compliance include granting citizens the right to file class-action lawsuits against organizations for damages per incident. In addition, the State of California can levy fines for intentional or unintentional violations. The costs can add up to millions of dollars.
Romans 13:1 reminds us to be subject to our governing authorities. Governments worldwide are enacting laws and regulations to respect and ensure people's privacy. Churches should embrace, not avoid, such objectives.
Disclaimer: The author is not a practicing attorney and as such is not offering legal advice.
T. Jeff Vining is an IT analyst and blogger to clients, organizations and vendors. He is the former Gartner Research Vice President.